Merge "Allowing userdebug/eng builds crash dump access to ks"
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 616f00c..9233a4d 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -17,8 +17,16 @@
-vendor_init
-vold
}:process { ptrace signal sigchld sigstop sigkill };
+
+# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
userdebug_or_eng(`
- allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
+ allow crash_dump {
+ apexd
+ keystore
+ llkd
+ logd
+ vold
+ }:process { ptrace signal sigchld sigstop sigkill };
')
###
@@ -35,6 +43,7 @@
init
kernel
keystore
+ userdebug_or_eng(`-keystore')
llkd
userdebug_or_eng(`-llkd')
logd
diff --git a/public/keystore.te b/public/keystore.te
index 7a6074b..155322c 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -40,4 +40,5 @@
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-neverallow * keystore:process ptrace;
+# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
+neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;